US8261065B2 - Protecting caller function from undesired access by callee function - Google Patents

Protecting caller function from undesired access by callee function Download PDF

Info

Publication number
US8261065B2
US8261065B2 US11/770,067 US77006707A US8261065B2 US 8261065 B2 US8261065 B2 US 8261065B2 US 77006707 A US77006707 A US 77006707A US 8261065 B2 US8261065 B2 US 8261065B2
Authority
US
United States
Prior art keywords
function
color
page
stack
caller
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US11/770,067
Other versions
US20080280593A1 (en
Inventor
Uday Savagaonkar
David Durham
Ravi Sahita
Subhash Gutti
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Intel Corp
Original Assignee
Intel Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US11/745,399 external-priority patent/US8645704B2/en
Application filed by Intel Corp filed Critical Intel Corp
Priority to US11/770,067 priority Critical patent/US8261065B2/en
Publication of US20080280593A1 publication Critical patent/US20080280593A1/en
Assigned to INTEL CORPORATION reassignment INTEL CORPORATION ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: DURHAM, DAVID, GUTTI, SUBHASH, SAHITA, RAVI, SAVAGAONKAR, UDAY
Application granted granted Critical
Publication of US8261065B2 publication Critical patent/US8261065B2/en
Active legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/448Execution paradigms, e.g. implementations of programming paradigms
    • G06F9/4482Procedural
    • G06F9/4484Executing subprograms
    • G06F9/4486Formation of subprogram jump address

Definitions

  • the present disclosure relates to paged memory access control techniques, and more particularly, to restricting access of the caller function from the callee function.
  • FIG. 1 shows a flowchart illustrating a method for restricting access to a call stack constructed by a plurality of codes of a first function from a second function, according to an exemplary embodiment of the present disclosure
  • FIG. 2 is a block diagram illustrating a traditional method for handling function calls
  • FIG. 3 is a block diagram illustrating a method for handling stack page using transition page, according to an exemplary embodiment of the present disclosure
  • FIG. 4 illustrates a flowchart for performing Access Control List (ACL) check; according to an exemplary embodiment of the present disclosure
  • FIG. 5 illustrates a flowchart for protecting the portion of the call stack of the first function from the second function, according to an exemplary embodiment of the present disclosure
  • FIG. 6 illustrates a flowchart for restoring the portion of the call stack of the first function, according to an exemplary embodiment of the present disclosure
  • FIG. 7 is a block diagram for illustrating access control permission changes on stack page, according to an exemplary embodiment of the present disclosure.
  • FIG. 8 is a format of a parallel page table entry, according to an exemplary embodiment of the present disclosure.
  • memory pages may be access controlled based upon their color, where color may refer to a numeric label in the corresponding page table entry and where pages associated with one another may be given the same color.
  • Code pages may have full access to other code and data pages of the same color whereas access may be restricted between pages of different colors.
  • FIG. 1 is a flowchart illustrating a method for restricting access to a call stack constructed by a plurality of codes of a first function from a second function.
  • the method is initiated at operation 100 .
  • the first function calls the second function, data and addresses of a plurality of codes of the first function are stored in a stack page and colored in the first color assigned to the first function.
  • the call stack constructed by the first function includes a plurality of data including but not limited to private local variables, public variables, return addresses, stack pointer addresses or the like.
  • caller function and callee function share a same stack page, for example first function is a caller function and second function is a callee function.
  • a transition page performs an access control check for verifying whether the first function has permission to call the second function.
  • the code pages of the individual functions may be separated by specifying different colors, or tag values, in their page table entries.
  • the access control check is performed by an access control function which will be described in detail in conjunction with FIG. 4 .
  • the portions of the call stack belonging to the first function is protected from the second function by coloring the range of addresses in the stack page belonging to the first function in the color of the first function.
  • a caller invoked transcolor protection function manipulates the stack page to color it in a manner such that all addresses on the stack page up to the callee function frame are colored in transcolor color.
  • Transcolor colored code pages/functions are given additional privileges allowing them to modify page table entries and therefore modify page table entry color tags.
  • the second function is executed on the stack page, data for the second function are stored on the stack page and colored in the color of the second function code. Furthermore, there is return entry point on the transcolor transition page where the callee function/second function may return. Code at this entry point first calls the function to restore the first function color and thereafter returns to the caller function/first function. As the stack is colored in the transcolor color and accessed by the transcolor function, therefore there are no color violations.
  • the portions of the call stack belonging to the first function is restored by coloring the addresses of the first code in the first color in the stack page. The method terminates at operation 112 .
  • FIG. 2 is a block diagram illustrating a traditional method for handling function calls.
  • the block 202 discloses the caller function/first function, for example bar1 ( ).
  • the function bar1 ( ) pushes all the parameters onto the stack, for example param (k ⁇ 1), param (k ⁇ 2). Thereafter, the function bar1 ( ) calls the function bar2 ( ) by executing a CALL instruction that may also push the return address onto the stack.
  • the block 204 discloses the callee function/second function, for example bar2 ( ).
  • the function bar2 ( ) operates on the parameters on the stack and appends its own call stack. When bar2 ( ) completes, it returns back to the calling function using the return address placed by the caller on the stack.
  • the parameters and local variables on the stack of the caller function are colored in the same color as the parameters of the callee function, thus the callee function can arbitrarily access and modify the parameters and local variables of the caller function.
  • FIG. 3 is a block diagram for illustrating a method for handling stack page using the transcolor transition page.
  • the block 302 is a caller page corresponding to the caller function/first function, for example function bar1 ( ).
  • the block 306 is a callee page corresponding to the callee function/second function, for example bar2 ( ).
  • the block 304 corresponds to the transcolor transition page.
  • the block 302 is colored in the first color
  • the block 304 is colored in a special color (transcolor color) and the block 306 is colored in the third color.
  • the transcolor transition page 304 can recolor any Parallel Page Table Entry (PPTE), which will be described in conjunction with FIG. 8 .
  • the transition page 304 can read/write to pages of any color and can jump in to pages of any color.
  • PPTE Parallel Page Table Entry
  • a code from page of any color can jump (or call, return, etc.) into the transition page 304 , as long as the target address of the jump has a pre-specified alignment (e.g., 128 bytes), ensuring the transition page may execute the desired code in a manner expected by the programmer. Interlacing of the call from the caller function to the callee function is done with the transition page 304 .
  • this transcolor function may be implemented in processor microcode or as part of the CALL and iRET processor instructions.
  • An aligned address on the transition page 304 exposes an entry-point for inter-color calls.
  • This entry point on the other side, could be hooked to the callee function.
  • the code at the entry point can verify that the caller function has access rights, which is described in conjunction with FIG. 4 , manipulate the stack page colors and their ranges, described in conjunction with FIG. 5 , pushes address of the Return Entry Point onto the stack page, and then jumps into the callee function. Since special privileges are provided to the transcolor of the transition page 304 , these interactions may not cause any color violations.
  • a call stack when a call stack is protected by being colored it may be write protected, while read accesses are allowed across different colors reading a page in yet another color, and the specific access policy may vary for different ranges of addresses of the call stack.
  • the caller function/first function for example function bar1 ( ) pushes the parameters on the stack page, for example, param (k ⁇ 1), param (k ⁇ 2). Thereafter, the caller function saves its return address and jumps to the entry point on transition page 304 .
  • the transition page 304 performs Access Control List (ACL) checks for checking whether the caller function has permission to call the callee function which will be described in conjunction with FIG. 4 .
  • ACL Access Control List
  • the PROTECT_STACK/caller protect function is called or the update page color instruction may be executed, by the transition page for protecting the stack data of the first function/caller function from the second function/callee function by coloring the appropriate address ranges of the stack in the transcolor color, which will be described in conjunction with FIG. 5 .
  • the transition page 304 jumps into the callee function and executes the callee function at the correct location.
  • the callee function then may color the uncolored (non-transcolor) portion of the stack in its own color to protect its local variable portion of the calls stack, or this same color assignment may be performed automatically by the transition page logic.
  • the callee has completed it returns to the return entry point specified at the correct transcolored position in the call stack.
  • UNPROTECT_STACK/caller unprotect function is called for unprotecting the call stack of the first function/caller function by recoloring the appropriate ranges of the call stack from the transcolor color of the transition page to the color of the caller function. Thereafter, the code at return entry point returns to the caller function.
  • FIG. 4 illustrates a flowchart for performing Access Control List (ACL) check.
  • a function T_ACL_CHECK/access control function is called in the transition page 304 .
  • the input in the function T_ACL_CHECK is a pointer FUNC_Ptr T_Bar and Previous Page Color (PPC) of the first function/caller function/bar1 ( ).
  • the ACL for the callee function for example function bar2 ( ) is located.
  • a color violation fault is generated at operation 410 .
  • the processor issues a page-fault with the Color Violation (CV) bit in the page-fault error codes set (color-violation exception) whenever a code tries to improperly access a colored page.
  • CV Color Violation
  • DAV Directed Access Vector
  • a valid jump (JMP) or CALL from a different color code has to always go to a DAV instruction.
  • the DAV ensures that a program has been entered at an expected point through a well defined interface.
  • a page-color transition will be always updated in a “previous page color” (PPC) register by the processor, which is used by the DAV to check for a valid transition.
  • PPC previously page color
  • Transcolor transition pages may have implicit entrypoints at regular by alignments on the transition page checked and enforced by the processor. CALLs or JMPs (resulting in an instruction fetch) that access the transition starting with one of these implicit byte alignments will be allowed. However, attempts by non-transcolored color pages to access transcolor transition pages on non-aligned boundaries on the page may result in a color violation fault.
  • FIG. 5 illustrates a flowchart for protecting the first code of the first function/caller function from the second function/callee function.
  • the first code of the first function for e.g. private local variables are to be protected from access by the second function/callee function.
  • the first function pushes the parameters on the stack page that is colored in the caller's color and the caller transitions control to the transition page, the ACL check is performed in the transition page 304 and thereafter the first code of the first function is protected by calling the T_PROTECT_STACK code or instruction that may color the portions of the stack belonging to the caller in the transcolor color by changing the color page in the Parallel Page Table Entries corresponding to the caller portion of the call stack.
  • a function T_PROTECT_STACK is called in the transition page 304 , the input in the function T_PROTECT_STACK is a pointer Func_Ptr BAR.
  • the Func_Ptr Bar is a pointer to the function bar2 ( )/second function/callee function.
  • PPTE Parallel Page Table Entry
  • the parallel page is traversed to find the color of the page containing function bar2 ( ).
  • the PPTE is modified, to color the PPTE such that all the addresses on the stack page, right up to the callee function/bar2 ( ) frame are colored in super color and all the addresses above the callee stack frame are colored in the callee color. Thereafter, the method is terminated at operation 516 . However, if the top and bottom of the stack frame does not belong to the same page, then at operation 512 , a PPTE is located for the stack page comprising the linear address % rbp-4. At operation 514 , the PPTE is modified by coloring the PPTE such that all the addresses on the stack page, right up to the callee function/bar2 ( ) frame is colored in the transcolor color. Thereafter, the control goes to the operation 506 .
  • FIG. 6 illustrates a flowchart for unprotecting the first code of the first function.
  • the control returns back to the transition page 304 .
  • the transition page 304 calls the T_UNPROTECT_STACK function for unprotecting the stack page.
  • the input in the function T_UNPROTECT_STACK is a pointer FUNC_Ptr Bar and PPC of the first function/caller function/bar1 ( ) to determine the appropriate color to change the stack.
  • the Func_Ptr Bar is a pointer to the function bar2 ( )/callee function/second function.
  • a Parallel Page Table Entry is located for the stack page comprising the linear address % rbp-8.
  • the PPTE is modified, to color the PPTE such that all the addresses on the stack page in and above the caller function/bar1 ( ) frame are colored in the PPC of the first function/caller function and the frame below that is colored in the super color as they may correspond to the local call stacks belonging to other colors. Thereafter, the method is terminated at operation 614 .
  • a PPTE is located for the stack page comprising the linear address % rsp.
  • the PPTE is modified by coloring the PPTE such that all the addresses on the stack page in and above the caller function/bar1 ( ) frame is colored in the PPC of the first function/caller function. Thereafter, the control goes to operation 606 .
  • FIG. 7 is a block diagram for illustrating color changes on stack page.
  • the block 702 represents the view of the stack page having local variables of the first function/caller function/bar1 ( ) on the stack page.
  • the block 704 represents the stack page when the caller jumps to the entry point on the transition page 304 .
  • the parameters of the callee function are pushed on the stack page.
  • the stack page is protected by coloring the frame in and above the caller function frame till address of T_RET in a transcolor/super color, the frame above that is colored in the callee function/bar2 ( ) color. Since the frame is colored in the transcolor, the callee function cannot access the local variables of the caller function.
  • the caller function may pass references of the private local variables to the callee function, with the callee function then modifying the private local variables of the caller function.
  • the private local variables of the caller are protected by transcolor as described in FIG. 5 , such an access is not possible, therefore a separate parallel stack page is maintained, with the separate parallel stack page colored in the callee function color,
  • the private local variable of the caller function whose references are to be passed to the callee function are defined on this parallel stack, instead of on the other stack. This is implemented, for example, in C Language by having a rule that the local variable whose pointer is ever used in the program could be passed to a callee by reference. This can be determined in a static analysis phase of the compiler.
  • FIG. 8 is a format of the Parallel Page Table Entry (PPTE).
  • FIG. 8 shows one possible structure of a parallel page-table entry (PPTE).
  • a PPTE is a 64-bit structure with two sixteen-bit fields (COLOR1 and COLOR2) representing the two colors associated with the corresponding virtual page.
  • the “C2 Offset” (22 bits) field indicates byte-offset into the page where COLOR1 ends and COLOR2 begins.
  • the bit patterns corresponding to colors are stored in the two sixteen bit fields.
  • the bit fields H1, R1, W1, and X1 represent hidden, read, write, and execute permissions on the COLOR1 part of the page, while H2, R2, W2, and X2 represent similar permissions on COLOR2 part of the page.
  • the control flow from the caller function to the callee function passes through the transition page, which is colored in a special color, for example, transcolor or super color, and has permissions to modify the various fields of the PPTE, for example recolor the pages.
  • the disclosure works by ensuring that the transition page colors the part of the page containing caller's stack in transcolor before entering the callee function, and restores the original colors before returning to the caller function.
  • embodiments of the disclosure may be embodied in the form of computer-implemented processes and apparatuses for practicing those processes.
  • Embodiments of the disclosure may also be in the form of computer program code containing instructions embodied in tangible media, such as floppy diskettes, CD-ROMs, hard drives, or any other computer-readable storage medium, wherein, when the computer program code is loaded into and executed by a computer, the computer becomes an apparatus for practicing the disclosure.
  • the present disclosure can also be embodied in the form of computer program code, for example, whether stored in a storage medium, loaded into and/or executed by a computer, or transmitted over some transmission medium, such as over electrical wiring or cabling, through fiber optics, or via electromagnetic radiation, wherein, when the computer program code is loaded into and executed by a computer, the computer becomes an apparatus for practicing the disclosure.
  • the computer program code segments configure the microprocessor to create specific logic circuits.

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Executing Machine-Instructions (AREA)

Abstract

Disclosed is a method for restricting access of a first code of a plurality of codes and data of a first function from a second function. Thee method comprises calling the second function by the first function, addresses of the plurality of data may be stored in a stack page and colored in a first color (102). The method comprises performing access control check in a transition page for verifying whether the first function has permission to call the second function (104). Further the method comprises protecting the first code from the second function by coloring the data and/or addresses in a second color (106). Furthermore, the method comprises executing the second function by pushing addresses of the second function on the stack page, the addresses of the second function colored in a third color (108) and unprotecting the first code by coloring the addresses of the first code in the first color (110).

Description

CROSS-REFERENCE TO RELATED APPLICATION
This application is a Continuation In Part of U.S. Utility application Ser. No. 11/745,399 entitled, “Protecting Caller Function from Undesired Access by Callee Function”, and filed on May 7, 2007.
FIELD
The present disclosure relates to paged memory access control techniques, and more particularly, to restricting access of the caller function from the callee function.
BRIEF DESCRIPTION OF THE DRAWINGS
The advantages and features of the present disclosure will become better understood with reference to the following detailed description and claims taken in conjunction with the accompanying drawings, wherein like elements are identified with like symbols, and in which:
FIG. 1 shows a flowchart illustrating a method for restricting access to a call stack constructed by a plurality of codes of a first function from a second function, according to an exemplary embodiment of the present disclosure;
FIG. 2 is a block diagram illustrating a traditional method for handling function calls;
FIG. 3 is a block diagram illustrating a method for handling stack page using transition page, according to an exemplary embodiment of the present disclosure;
FIG. 4 illustrates a flowchart for performing Access Control List (ACL) check; according to an exemplary embodiment of the present disclosure;
FIG. 5 illustrates a flowchart for protecting the portion of the call stack of the first function from the second function, according to an exemplary embodiment of the present disclosure;
FIG. 6 illustrates a flowchart for restoring the portion of the call stack of the first function, according to an exemplary embodiment of the present disclosure;
FIG. 7 is a block diagram for illustrating access control permission changes on stack page, according to an exemplary embodiment of the present disclosure; and
FIG. 8 is a format of a parallel page table entry, according to an exemplary embodiment of the present disclosure.
Like reference numerals refer to like parts throughout the description of several views of the drawings.
DETAILED DESCRIPTION OF THE DISCLOSURE
For a thorough understanding of the present disclosure, reference should be made to the following detailed description, including the appended claims, in connection with the above-described drawings. Although the present disclosure is described in connection with exemplary embodiments, the disclosure is not intended to be limited to the specific forms set forth herein. It is understood that various omissions and substitutions of equivalents are contemplated as circumstances may suggest or render expedient, but it is intended to cover the application or implementation without departing from the spirit or scope of the claims of the present disclosure. Also, it is understood that the phraseology and terminology used herein is for the purpose of description and should not be regarded as limiting.
The terms “first,” “second,” and the like, herein do not denote any order, quantity, or importance, but rather are used to distinguish one element from another, and the terms “a” and “an” herein do not denote a limitation of quantity, but rather denote the presence of at least one of the referenced item.
In some embodiments, memory pages may be access controlled based upon their color, where color may refer to a numeric label in the corresponding page table entry and where pages associated with one another may be given the same color. Code pages may have full access to other code and data pages of the same color whereas access may be restricted between pages of different colors.
FIG. 1 is a flowchart illustrating a method for restricting access to a call stack constructed by a plurality of codes of a first function from a second function. The method is initiated at operation 100. At operation 102, the first function calls the second function, data and addresses of a plurality of codes of the first function are stored in a stack page and colored in the first color assigned to the first function. The call stack constructed by the first function includes a plurality of data including but not limited to private local variables, public variables, return addresses, stack pointer addresses or the like. In function calls, caller function and callee function share a same stack page, for example first function is a caller function and second function is a callee function. At operation 104, a transition page performs an access control check for verifying whether the first function has permission to call the second function. The code pages of the individual functions may be separated by specifying different colors, or tag values, in their page table entries. The access control check is performed by an access control function which will be described in detail in conjunction with FIG. 4. At operation 106, the portions of the call stack belonging to the first function is protected from the second function by coloring the range of addresses in the stack page belonging to the first function in the color of the first function. A caller invoked transcolor protection function manipulates the stack page to color it in a manner such that all addresses on the stack page up to the callee function frame are colored in transcolor color. Transcolor colored code pages/functions are given additional privileges allowing them to modify page table entries and therefore modify page table entry color tags. At operation 108, the second function is executed on the stack page, data for the second function are stored on the stack page and colored in the color of the second function code. Furthermore, there is return entry point on the transcolor transition page where the callee function/second function may return. Code at this entry point first calls the function to restore the first function color and thereafter returns to the caller function/first function. As the stack is colored in the transcolor color and accessed by the transcolor function, therefore there are no color violations. At operation 110, the portions of the call stack belonging to the first function is restored by coloring the addresses of the first code in the first color in the stack page. The method terminates at operation 112.
FIG. 2 is a block diagram illustrating a traditional method for handling function calls. The block 202 discloses the caller function/first function, for example bar1 ( ). The function bar1 ( ) pushes all the parameters onto the stack, for example param (k−1), param (k−2). Thereafter, the function bar1 ( ) calls the function bar2 ( ) by executing a CALL instruction that may also push the return address onto the stack. The block 204 discloses the callee function/second function, for example bar2 ( ). The function bar2 ( ) operates on the parameters on the stack and appends its own call stack. When bar2 ( ) completes, it returns back to the calling function using the return address placed by the caller on the stack. Thereafter, the control returns to the caller function. The parameters and local variables on the stack of the caller function are colored in the same color as the parameters of the callee function, thus the callee function can arbitrarily access and modify the parameters and local variables of the caller function.
FIG. 3 is a block diagram for illustrating a method for handling stack page using the transcolor transition page. The block 302 is a caller page corresponding to the caller function/first function, for example function bar1 ( ). The block 306 is a callee page corresponding to the callee function/second function, for example bar2 ( ). The block 304 corresponds to the transcolor transition page. The block 302 is colored in the first color, the block 304 is colored in a special color (transcolor color) and the block 306 is colored in the third color. The transcolor transition page 304 can recolor any Parallel Page Table Entry (PPTE), which will be described in conjunction with FIG. 8. The transition page 304 can read/write to pages of any color and can jump in to pages of any color. Further, a code from page of any color can jump (or call, return, etc.) into the transition page 304, as long as the target address of the jump has a pre-specified alignment (e.g., 128 bytes), ensuring the transition page may execute the desired code in a manner expected by the programmer. Interlacing of the call from the caller function to the callee function is done with the transition page 304. As an alternate embodiment, this transcolor function may be implemented in processor microcode or as part of the CALL and iRET processor instructions.
An aligned address on the transition page 304 exposes an entry-point for inter-color calls. This entry point, on the other side, could be hooked to the callee function. When the caller function makes a call to the entry point, the code at the entry point can verify that the caller function has access rights, which is described in conjunction with FIG. 4, manipulate the stack page colors and their ranges, described in conjunction with FIG. 5, pushes address of the Return Entry Point onto the stack page, and then jumps into the callee function. Since special privileges are provided to the transcolor of the transition page 304, these interactions may not cause any color violations.
In accordance with some embodiments, when a call stack is protected by being colored it may be write protected, while read accesses are allowed across different colors reading a page in yet another color, and the specific access policy may vary for different ranges of addresses of the call stack. In block 302, the caller function/first function, for example function bar1 ( ) pushes the parameters on the stack page, for example, param (k−1), param (k−2). Thereafter, the caller function saves its return address and jumps to the entry point on transition page 304. The transition page 304 performs Access Control List (ACL) checks for checking whether the caller function has permission to call the callee function which will be described in conjunction with FIG. 4. Thereafter, the PROTECT_STACK/caller protect function is called or the update page color instruction may be executed, by the transition page for protecting the stack data of the first function/caller function from the second function/callee function by coloring the appropriate address ranges of the stack in the transcolor color, which will be described in conjunction with FIG. 5. The transition page 304 jumps into the callee function and executes the callee function at the correct location. The callee function then may color the uncolored (non-transcolor) portion of the stack in its own color to protect its local variable portion of the calls stack, or this same color assignment may be performed automatically by the transition page logic. When the callee has completed it returns to the return entry point specified at the correct transcolored position in the call stack. Thereafter, UNPROTECT_STACK/caller unprotect function is called for unprotecting the call stack of the first function/caller function by recoloring the appropriate ranges of the call stack from the transcolor color of the transition page to the color of the caller function. Thereafter, the code at return entry point returns to the caller function.
FIG. 4 illustrates a flowchart for performing Access Control List (ACL) check. At operation 402, a function T_ACL_CHECK/access control function is called in the transition page 304. The input in the function T_ACL_CHECK is a pointer FUNC_Ptr T_Bar and Previous Page Color (PPC) of the first function/caller function/bar1 ( ). At operation 404, the ACL for the callee function, for example function bar2 ( ) is located. At operation 406, it is determined whether the PPC is present in the ACL. Further, it is also determined whether the PPC of the first function has permissions to call the second function. At operation 406, if the PPC of the first function is present in the ACL and has permissions to call the second function, then permission is granted and the first function can call the second function and the method terminates at operation 408. However, if the PPC is not present in the ACL or the PPC of the first function does not have the permission to call the second function, then a color violation fault is generated at operation 410. The processor issues a page-fault with the Color Violation (CV) bit in the page-fault error codes set (color-violation exception) whenever a code tries to improperly access a colored page. In order to prevent a page-fault at every inter-color execution transition, a Directed Access Vector (DAV) instruction is introduced. A valid jump (JMP) or CALL from a different color code has to always go to a DAV instruction. The DAV ensures that a program has been entered at an expected point through a well defined interface. A page-color transition will be always updated in a “previous page color” (PPC) register by the processor, which is used by the DAV to check for a valid transition. The DAV generates a color-violation exception whenever the transition is not a valid one.
Transcolor transition pages may have implicit entrypoints at regular by alignments on the transition page checked and enforced by the processor. CALLs or JMPs (resulting in an instruction fetch) that access the transition starting with one of these implicit byte alignments will be allowed. However, attempts by non-transcolored color pages to access transcolor transition pages on non-aligned boundaries on the page may result in a color violation fault.
To provide the legacy applications for running in a page-colored environment, they are not colored (or they are given the color value 0). Any non-colored process will not be able to access a colored page, but they will be able to access the system services, which are awarded a special transcolor color.
FIG. 5 illustrates a flowchart for protecting the first code of the first function/caller function from the second function/callee function. The first code of the first function, for e.g. private local variables are to be protected from access by the second function/callee function. The first function pushes the parameters on the stack page that is colored in the caller's color and the caller transitions control to the transition page, the ACL check is performed in the transition page 304 and thereafter the first code of the first function is protected by calling the T_PROTECT_STACK code or instruction that may color the portions of the stack belonging to the caller in the transcolor color by changing the color page in the Parallel Page Table Entries corresponding to the caller portion of the call stack. At operation 502, a function T_PROTECT_STACK is called in the transition page 304, the input in the function T_PROTECT_STACK is a pointer Func_Ptr BAR. The Func_Ptr Bar is a pointer to the function bar2 ( )/second function/callee function. At operation 504, it is determined whether the top and bottom of stack frame belong to the same page. If the top and the bottom of stack frame belong to the same page, then at operation 506, a Parallel Page Table Entry (PPTE) is located for the stack page comprising the linear address % rsp-16. At operation 508, the parallel page is traversed to find the color of the page containing function bar2 ( ). At operation 510, the PPTE is modified, to color the PPTE such that all the addresses on the stack page, right up to the callee function/bar2 ( ) frame are colored in super color and all the addresses above the callee stack frame are colored in the callee color. Thereafter, the method is terminated at operation 516. However, if the top and bottom of the stack frame does not belong to the same page, then at operation 512, a PPTE is located for the stack page comprising the linear address % rbp-4. At operation 514, the PPTE is modified by coloring the PPTE such that all the addresses on the stack page, right up to the callee function/bar2 ( ) frame is colored in the transcolor color. Thereafter, the control goes to the operation 506.
FIG. 6 illustrates a flowchart for unprotecting the first code of the first function. After the execution of the second function, the control returns back to the transition page 304. At operation 602, the transition page 304 calls the T_UNPROTECT_STACK function for unprotecting the stack page. The input in the function T_UNPROTECT_STACK is a pointer FUNC_Ptr Bar and PPC of the first function/caller function/bar1 ( ) to determine the appropriate color to change the stack. The Func_Ptr Bar is a pointer to the function bar2 ( )/callee function/second function. At operation 604, it is determined whether the top and bottom of stack frame belong to the same page. If the top and the bottom of stack frame belong to the same page, then at operation 606, a Parallel Page Table Entry (PPTE) is located for the stack page comprising the linear address % rbp-8. At operation 608, the PPTE is modified, to color the PPTE such that all the addresses on the stack page in and above the caller function/bar1 ( ) frame are colored in the PPC of the first function/caller function and the frame below that is colored in the super color as they may correspond to the local call stacks belonging to other colors. Thereafter, the method is terminated at operation 614. However, if the top and bottom of the stack frame does not belong to the same page, then at operation 610, a PPTE is located for the stack page comprising the linear address % rsp. At operation 612, the PPTE is modified by coloring the PPTE such that all the addresses on the stack page in and above the caller function/bar1 ( ) frame is colored in the PPC of the first function/caller function. Thereafter, the control goes to operation 606.
FIG. 7 is a block diagram for illustrating color changes on stack page. The block 702 represents the view of the stack page having local variables of the first function/caller function/bar1 ( ) on the stack page. The block 704 represents the stack page when the caller jumps to the entry point on the transition page 304. The parameters of the callee function are pushed on the stack page. At block 706, the stack page is protected by coloring the frame in and above the caller function frame till address of T_RET in a transcolor/super color, the frame above that is colored in the callee function/bar2 ( ) color. Since the frame is colored in the transcolor, the callee function cannot access the local variables of the caller function. Thereafter at block 708, local variables of the callee function/bar2 ( ) are pushed on the stack page. Further the value of % rbp from the last frame is pushed on the stack page. The callee function executes its code in the callee page 306. At block 710, the value of % rbp is used and the % rbp now points to the value of the % rbp from the last frame on the bottom of the stack page and % rsp points to the PPC value stored on the stack page. Thereafter, at block 712, stack page is colored in the PPC of the first function/caller function. The stack page is colored in the PPC of the first function by using the PPC pushed on the stack page as shown in block 710.
The caller function may pass references of the private local variables to the callee function, with the callee function then modifying the private local variables of the caller function. However, since the private local variables of the caller are protected by transcolor as described in FIG. 5, such an access is not possible, therefore a separate parallel stack page is maintained, with the separate parallel stack page colored in the callee function color, The private local variable of the caller function whose references are to be passed to the callee function are defined on this parallel stack, instead of on the other stack. This is implemented, for example, in C Language by having a rule that the local variable whose pointer is ever used in the program could be passed to a callee by reference. This can be determined in a static analysis phase of the compiler.
FIG. 8 is a format of the Parallel Page Table Entry (PPTE). FIG. 8 shows one possible structure of a parallel page-table entry (PPTE). A PPTE is a 64-bit structure with two sixteen-bit fields (COLOR1 and COLOR2) representing the two colors associated with the corresponding virtual page. The “C2 Offset” (22 bits) field indicates byte-offset into the page where COLOR1 ends and COLOR2 begins. The bit patterns corresponding to colors are stored in the two sixteen bit fields. The bit fields H1, R1, W1, and X1 represent hidden, read, write, and execute permissions on the COLOR1 part of the page, while H2, R2, W2, and X2 represent similar permissions on COLOR2 part of the page.
In the disclosure, the control flow from the caller function to the callee function passes through the transition page, which is colored in a special color, for example, transcolor or super color, and has permissions to modify the various fields of the PPTE, for example recolor the pages. The disclosure works by ensuring that the transition page colors the part of the page containing caller's stack in transcolor before entering the callee function, and restores the original colors before returning to the caller function.
As described above, the embodiments of the disclosure may be embodied in the form of computer-implemented processes and apparatuses for practicing those processes. Embodiments of the disclosure may also be in the form of computer program code containing instructions embodied in tangible media, such as floppy diskettes, CD-ROMs, hard drives, or any other computer-readable storage medium, wherein, when the computer program code is loaded into and executed by a computer, the computer becomes an apparatus for practicing the disclosure. The present disclosure can also be embodied in the form of computer program code, for example, whether stored in a storage medium, loaded into and/or executed by a computer, or transmitted over some transmission medium, such as over electrical wiring or cabling, through fiber optics, or via electromagnetic radiation, wherein, when the computer program code is loaded into and executed by a computer, the computer becomes an apparatus for practicing the disclosure. When implemented on a general-purpose microprocessor, the computer program code segments configure the microprocessor to create specific logic circuits.
The foregoing descriptions of specific embodiments of the present disclosure have been presented for purposes of illustration and description. They are not intended to be exhaustive or to limit the disclosure to the precise forms disclosed, and obviously many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the disclosure and its practical application, to thereby enable others skilled in the art to best utilize the disclosure and various embodiments with various modifications as are suited to the particular use contemplated. It is understood that various omissions and substitutions of equivalents are contemplated as circumstance may suggest or render expedient, but it is intended to cover the application or implementation without departing from the spirit or scope of the claims of the present disclosure.

Claims (18)

1. A method for restricting access to a call stack constructed by a plurality of codes of a first function from a second function, the method comprising:
calling the second function by the first function, wherein data and addresses of the plurality of codes of the first function are stored in a stack page in a memory device and colored in a first color assigned to the first function;
passing control of an order of execution of instructions of the first and second functions to a transition page in a memory device, the transition page configured to receive a call from the first function to the second function and to set a Parallel Page Table Entry (PPTE), the PPTE having a first and at least a second field associated with the first function and the second function, respectively, the first and second field having a first and a second number of bits, respectively, configured to represent colors;
performing an access control check via a transition page for verifying whether the first function has permission to call the second function;
protecting a portion of a call stack of the first function from the second function via the transition page by setting the first number of bits of the first field of the PPTE to a second color;
executing the second function by pushing addresses of the second function on a stack page, the addresses of the second function colored in a third color by setting the second number of bits in the second field via the transition page to represent the third color; and
unprotecting the portion of the call stack of the first function via the transition page by setting the first number of bits of the first field of the PPTE to the first color; and the addresses of the plurality of codes are colored in the first color, the second color and the third color by using bit patterns in a page table entry associated with the stack page.
2. The method of claim 1, further comprising a parallel stack page having addresses of a second code of the plurality of codes of the first function, the addresses of the second code colored in the third color, thereby enabling the second function to access the second code of the first function.
3. The method of claim 2, wherein at least one code includes private local variables of the first function.
4. The method of claim 1, wherein at least one code includes private local variables of the first function.
5. The method of claim 1, wherein performing access control check comprises:
determining whether the first color of the first function is present in an access control list of the second function; and
allowing the first function to call the second function based upon determining the first color of the first function present in the access control list of the second function.
6. The method of claim 1, wherein the stack page is shared dynamically between the first function and the second function.
7. The method of claim 1, wherein restricting access of the plurality of codes of the first function from the second function is used for preventing stack smashing, viruses and worms.
8. A system for protecting a call stack constructed by a plurality of codes of a caller function from a callee function, the system comprising:
a stack page capable of storing addresses of the plurality of codes of the caller function, the addresses colored in a first color;
a transition page comprising:
a stack page in a memory device;
a transition page in a memory device;
an access control function for verifying whether the caller function has permission to call the callee function;
a caller protect function for protecting a call stack of the caller function via the transition page by setting a first number of bits of a first field of a Parallel Page Table Entry (PPTE) to a second color, the PPTE having a first and at least a second field associated with the caller function and the callee function, respectively, the first and second field having a first and a second number of bits, respectively, configured to represent colors; and
a caller unprotect function for restoring the call stack of the caller function via the transition page by setting the first number of bits of the first field of the PPTE to a first color;
wherein the transition page is configured to receive a call from the caller function to the callee function, to control an order of execution of instructions of the caller and callee functions, and to color the call stack of the caller function via the PPTE; and
a callee page capable of executing the callee function by pushing addresses of the callee function on the stack page, the addresses of the callee function colored in a third color by setting the second number of bits in the second field via the transition page to represent the third color; and the addresses of the plurality of codes are colored in the first color, the second color and the third color by using bit patterns in a page table entry associated with the stack page.
9. The system of claim 8, wherein the call stack includes private local variables of the caller function.
10. The system of claim 1, wherein access control function comprises instructions for:
determining whether the first color of the caller function is present in an access control list of the callee function; and
allowing the caller function to call the callee function upon determining the first color of the caller function present in the access control list of the callee function.
11. A storage medium device having stored thereon instructions, for restricting access of a call stack constructed by a plurality of codes of a first function from a second function, that when executed by a machine result in the following:
calling the second function by the first function, wherein data and addresses of the plurality of codes of the first function are stored in a stack page and colored in a first color assigned to the first function;
passing control of an order of execution of instructions of the first and second functions to a transition page, the transition page configured to receive a call from the first function to the second function and to set a Parallel Page Table Entry (PPTE), the PPTE having a first and at least a second field associated with the first function and the second function, respectively, the first and second field having a first and a second number of bits, respectively, configured to represent colors;
performing an access control check via the transition page for verifying whether the first function has permission to call the second function;
protecting a portion of a call stack of the first function from the second function via the transition page by setting the first number of bits of the first field of the PPTE to a second color;
executing the second function by pushing addresses of the second function on the stack page, the addresses of the second function colored in a third color by setting the second number of bits in the second field via the transition page to represent the third color and unprotecting the portion of the call stack of the first function via the transition page by setting the first number of bits of the first field of the PPTE to the first color; and the addresses of the plurality of codes are colored in the first color, the second color and the third color by using bit patterns in a page table entry associated with the stack page.
12. The computer program product of claim 11, further comprising a parallel stack page having addresses of a second code of the plurality of codes of the first function, the addresses of the second code colored in a third color, thereby enabling the second function to access the second code of the first function.
13. The computer program product of claim 12, wherein at least one code includes reference of private local variables of the first function.
14. The computer program product of claim 11, wherein at least one code includes private local variables of the first function.
15. The computer program product of claim 11, wherein performing access control check comprises:
determining whether the first color of the first function is present in an access control list of the second function; and
allowing the first function to call the second function based upon determining the first color of the first function present in the access control list of the second function.
16. The computer program product of claim 11, wherein the stack page is shared dynamically between the first function and the second function.
17. The computer program product of claim 11, wherein restricting access of the plurality of codes of the first function from the second function is used for preventing stack smashing, viruses and worms.
18. The method of claim 5 wherein determining whether the first color of the first function is present in the access control list further comprises:
checking a register for the first color, the register configured to contain a third number of bits associated with at least the first color of the first function; wherein the register is updated by a processor; and
comparing the third number of bits to a list of colors in the access control list of the second function to determine whether the first color is present in the access control list.
US11/770,067 2007-05-07 2007-06-28 Protecting caller function from undesired access by callee function Active 2030-07-30 US8261065B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US11/770,067 US8261065B2 (en) 2007-05-07 2007-06-28 Protecting caller function from undesired access by callee function

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US11/745,399 US8645704B2 (en) 2007-05-07 2007-05-07 Protecting caller function from undesired access by callee function
US11/770,067 US8261065B2 (en) 2007-05-07 2007-06-28 Protecting caller function from undesired access by callee function

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US11/745,399 Continuation-In-Part US8645704B2 (en) 2007-05-07 2007-05-07 Protecting caller function from undesired access by callee function

Publications (2)

Publication Number Publication Date
US20080280593A1 US20080280593A1 (en) 2008-11-13
US8261065B2 true US8261065B2 (en) 2012-09-04

Family

ID=39970000

Family Applications (1)

Application Number Title Priority Date Filing Date
US11/770,067 Active 2030-07-30 US8261065B2 (en) 2007-05-07 2007-06-28 Protecting caller function from undesired access by callee function

Country Status (1)

Country Link
US (1) US8261065B2 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9245110B2 (en) 2013-12-17 2016-01-26 International Business Machines Corporation Stack entry overwrite protection
US9519773B2 (en) 2014-09-12 2016-12-13 Intel Corporation Returning to a control transfer instruction

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8645704B2 (en) * 2007-05-07 2014-02-04 Intel Corporation Protecting caller function from undesired access by callee function

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6412071B1 (en) * 1999-11-14 2002-06-25 Yona Hollander Method for secure function execution by calling address validation
US20050010804A1 (en) * 2002-12-19 2005-01-13 Bruening Derek L. Secure execution of a computer program using a code cache
US20060225135A1 (en) * 2005-03-31 2006-10-05 Cheng Antonio S Providing extended memory protection
US20070150729A1 (en) * 2005-12-22 2007-06-28 Kirschner Wesley A Apparatus and method to limit access to selected sub-program in a software system
US20070180524A1 (en) * 2004-03-18 2007-08-02 Korea University Industry And Academy Cooperation Method for sensing and recovery against buffer overflow attacks and apparatus thereof
US20070204259A1 (en) * 2000-01-10 2007-08-30 Wilner David N Protection Domains for a Computer Operating System
US20080140968A1 (en) * 2006-12-12 2008-06-12 Doshi Kshitij A Protecting memory by containing pointer accesses
US20080148399A1 (en) 2006-10-18 2008-06-19 Microsoft Corporation Protection against stack buffer overrun exploitation
US20080162885A1 (en) * 2006-12-28 2008-07-03 Cheng Wang Mechanism for software transactional memory commit/abort in unmanaged runtime environment
US20080282358A1 (en) 2007-05-07 2008-11-13 Intel Corporation Protecting Caller Function from Undesired Access by Callee Function

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6412071B1 (en) * 1999-11-14 2002-06-25 Yona Hollander Method for secure function execution by calling address validation
US20070204259A1 (en) * 2000-01-10 2007-08-30 Wilner David N Protection Domains for a Computer Operating System
US20050010804A1 (en) * 2002-12-19 2005-01-13 Bruening Derek L. Secure execution of a computer program using a code cache
US20070180524A1 (en) * 2004-03-18 2007-08-02 Korea University Industry And Academy Cooperation Method for sensing and recovery against buffer overflow attacks and apparatus thereof
US20060225135A1 (en) * 2005-03-31 2006-10-05 Cheng Antonio S Providing extended memory protection
US20070150729A1 (en) * 2005-12-22 2007-06-28 Kirschner Wesley A Apparatus and method to limit access to selected sub-program in a software system
US20080148399A1 (en) 2006-10-18 2008-06-19 Microsoft Corporation Protection against stack buffer overrun exploitation
US20080140968A1 (en) * 2006-12-12 2008-06-12 Doshi Kshitij A Protecting memory by containing pointer accesses
US20080162885A1 (en) * 2006-12-28 2008-07-03 Cheng Wang Mechanism for software transactional memory commit/abort in unmanaged runtime environment
US20080282358A1 (en) 2007-05-07 2008-11-13 Intel Corporation Protecting Caller Function from Undesired Access by Callee Function

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Final Office Action received for U.S. Appl. No. 11/745,399, mailed on Jan. 11, 2011, 25 Pages.
IEEE Standard for a High Performance Serial Bus, Jul. 22, 1996. *
Non-Final Office Action received for U.S. Appl. No. 11/745,399, mailed on Jul. 20, 2010, pp. 23.

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9245110B2 (en) 2013-12-17 2016-01-26 International Business Machines Corporation Stack entry overwrite protection
US9262626B2 (en) 2013-12-17 2016-02-16 International Business Machines Corporation Stack entry overwrite protection
US9519773B2 (en) 2014-09-12 2016-12-13 Intel Corporation Returning to a control transfer instruction
TWI582635B (en) * 2014-09-12 2017-05-11 英特爾股份有限公司 Returning to a control transfer instruction

Also Published As

Publication number Publication date
US20080280593A1 (en) 2008-11-13

Similar Documents

Publication Publication Date Title
Shanbhogue et al. Security analysis of processor instruction set architecture for enforcing control-flow integrity
JP4759059B2 (en) Page coloring that maps memory pages to programs
US9275225B2 (en) Linear address mapping protection
EP3069254B1 (en) Improved control flow integrity system and method
JP5000573B2 (en) Protected function call
US11748457B2 (en) Systems and methods for policy linking and/or loading for secure initialization
US20130036464A1 (en) Processor operable to ensure code integrity
US9251378B2 (en) Security protection of software libraries in a data processing apparatus
EP3864555B1 (en) Verifying a stack pointer
US9158710B2 (en) Page coloring with color inheritance for memory pages
US8645704B2 (en) Protecting caller function from undesired access by callee function
US8261065B2 (en) Protecting caller function from undesired access by callee function
US20240004967A1 (en) Software protection method and apparatus, electronic device, and storage medium
EP3915028A1 (en) Apparatus and method for enforcing hardware-assisted memory safety
Liu et al. A buffer overflow detection and defense method based on RISC-V instruction set extension
NL2028534B1 (en) Processor for secure data processing
CN111625784B (en) Anti-debugging method of application, related device and storage medium
TW202409842A (en) Exception return state lock parameter
WO2022128142A1 (en) Apparatus and method for managing access to data memory by executable codes based on execution context
Kuzuno et al. Protection Mechanism of Kernel Data Using Memory Protection Key
TW202343257A (en) Memory management
WO2023209323A1 (en) Exception return state lock parameter

Legal Events

Date Code Title Description
AS Assignment

Owner name: INTEL CORPORATION, CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:SAVAGAONKAR, UDAY;DURHAM, DAVID;SAHITA, RAVI;AND OTHERS;REEL/FRAME:021843/0394;SIGNING DATES FROM 20070726 TO 20070731

Owner name: INTEL CORPORATION, CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:SAVAGAONKAR, UDAY;DURHAM, DAVID;SAHITA, RAVI;AND OTHERS;SIGNING DATES FROM 20070726 TO 20070731;REEL/FRAME:021843/0394

STCF Information on status: patent grant

Free format text: PATENTED CASE

FPAY Fee payment

Year of fee payment: 4

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 12